Beyond Internet security to risk management

August 14, 2007

Outrage Considered Useful

There's a bit of comment discussion going on in
Metricon Slides, and Viewed as PR
about counting vs. selling, in which the major point of agreement
seems to be that even at a metrics conference there weren't a lot
of metrics presented that were strategic and business-like.

Let's assume for a moment that we have such metrics, and listen to
Peter Sandman, whose website motto is Risk = Hazard + Outrage:

Sometimes, of course, senior management is as determined as you are to
take safety seriously. And sometimes when it’s not, its reservations
are sound: The risk is smaller than you’re claiming, or the evidence
is weak, or the precautions are untested or too expensive. But what’s
going on when a senior manager nixes your risk reduction recommendation
even though you can prove that it’s cost-effective, a good business
decision? Assume the boss isn’t too stupid to get it. If the evidence
clearly supports the precautions you’re urging, and the boss isn’t
dumb, why might the boss nonetheless have trouble assessing the evidence
properly?

As a rule, when smart people act stupid, something emotional is usually
getting in the way. I use the term “outrage” for the various
emotion-laden factors that influence how we see risk. Whether or not
a risk is actually dangerous, for example, we are all likely to react
strongly if the risk is unfamiliar and unfair, and if the people behind it
are untrustworthy and unresponsive. Factors like these, not the technical
risk data, pretty much determine our response. Risk perception researchers
can list the “outrage factors” that make people get upset about a
risk even if it’s not very serious.

performance anxiety ("If you can think of things I ought to do that I haven’t thought of, then I must not be very good at my job.")

He goes into more detail on these items, and he has a much longer list, as well. Then he recommends some strategies for dealing with safety outrage, including:

Suppose your VP half-thinks safety is beneath her. On the other hand,
she realizes that a bad safety record can really hurt the bottom
line. She’s ambivalent. So she does what ambivalent people do –
she goes to whichever seat on the seesaw you leave vacant. If you tell
her that safety needs more of her attention, she’s likely to feel
her stature/ego reservations that much more strongly. “I don’t do
safety. I’m a VP.” So instead you might want to say something like
this: “Look, you’re much too busy for this stuff. I figure the most
I deserve is ten minutes of your time to brief you on what I want to
do. You’re a VP and safety is not your main thing.” The odds are
pretty good that she’ll answer: “I need much more information than
that. I want to give much more attention to safety than that.”

So, can you see the average "just want to count" security professional
going to a VP with that humble attitude?
Or being willing to spend any time on learning such emotional
management skills?

And I don't recommend that ISTJs try to become ENFPs.
That way lies
a manipulative cult, not a healthy company.
Rather, this communication problem makes Jack Jones'
elaborate risk decision making organizational structure
look more attractive.
Personally, I find it hard to go for quite that much bureaucracy,
yet there probably does need to be a layer or two of bridging personalities
between the hardcore introverted thinking counting crew and the extraverted
emoting executives.

Still, the counting crew needs to come to realize this communication problem,
namely that presenting a hazard without outrage won't convince anybody
it's a risk.
Or, that abstraction plus emotion is not the same as lying.
Then they will have a chance of producing strategic and business-like
metrics.

Comments

Note that Jack's structure, as presented, is designed to be as complex as possible. It is a reductionist approach, a mind-mapping of all elements that should/might be beneficial.

Now 100% of organizations out there are performing all of those functions listed, they just are doing it in a rather ad-hoc method, or the analysis is done by "blink" or "gut".

I, like yourself, read Sandman as soon as Phil posted it to the mailing list (that may make us both geeks, but so be it). Two things come to mind:

1.) Outrage x Hazard may be a means to express risk within the context of the organization, but I like probability of loss event x probable magnitude of loss better for quantitative analysis.

2.) The term "Outrage" suggests that risk cannot or should not be discussed in a rational manner. One thing about FAIR and Jack specifically is the desire to drop a FUD approach. Maybe this reflects an optimist's view of the abilities of data/business owners, but in the long run I think it's more beneficial to our profession than, as you term it, manipulation.

Also, bravo on the application of personality types. This is brilliant, and something maybe we can talk about at more length at some point.

John, I think I agree that the Sandman proposals are good to see, but troubling. They hide the underlying problems. Manipulation begets manipulation.

Short of actual psychological counselling (and, Sandman concurs in not recommending we say that to our bosses ;) I've only ever seen one approach to break out of that trap, which is the fifth discipline stuff.

Also, I thought he missed one important reason: if the VP can guess it won't happen on her watch, why should she spend her budget to return investment to her successor?
